CIPP / US Questions Flashcards

1
Q

Which of the following has a specific data retention and disposal requirement?

A. Fair and Accurate Credit Transactions Act
B. Any pre-emptive law
C. The Children’s Online Privacy Protection Act
D. The Cable Communications Policy Act

A

A. Fair and Accurate Credit Transactions Act

2
Q

Which of the following is not applicable to international data transfers?

A. Fair and Accurate Credit Transactions Act
B. General Data Protection Regulation
C. The CLOUD Act
D. The Personal Information Protection and Electronic Documents Act

A

A. Fair and Accurate Credit Transactions Act

3
Q

How can security best be described in relation to privacy?

A

Privacy needs security, but security is not only about privacy.

4
Q

Which of the following is not an appropriate way for an international organization operating in the US to be compliant with European privacy regulations?

A. Model contracts
B. European ownership of the organization
C. Binding Corporate Rules
D. Keeping all data in the country of origin

A

B. European ownership of the organization. It is very important to know, as a privacy professional, that the EU laws are something to look into (as will be the laws in other countries that follow). In the US there are still restrictions on processing data on European citizens, regardless of country of ownership, so B is the correct answer.

5
Q

Which of the following can be said about the Cable Communications Policy Act?

A. Video rental records cannot be disclosed freely
B. It has become redundant due to internet TV
C. Certain damages as a result of violations can be recovered because it provides right of action
D. There is no such law as the Cable Communications Policy Act

A

C. Certain damages as a result of violations can be recovered because it provides for private right of action

Cable Communications Policy Act:
• Regulates the notice a cable TV provider must furnish to customers, the ability of cable providers to collect PI, the ability of cable providers to disseminate PI and the retention and destruction of PI by cable TV providers
• Provides a private right of action for violations of the aforementioned provisions and allows for actual or statutory damages, punitive damages, reasonable attorney’s fees, and court costs

6
Q

Which of the following is true about privacy notices?

A. Only certain US laws require a privacy notice
B. Privacy notices are required for all websites in the US or targeted at a US audience
C. Changing a privacy notice mid-service is not deceptive
D. The CLOUD Act

A

A. Only certain US laws require a privacy notice. C is false, and B is true depending on the type of website.

7
Q

What does workforce training on privacy establish?

A

It increases the level of knowledge of staff, decreasing the chance of non-compliance.

8
Q

A merger between the US-based company and affiliates in Asia and Canada is planned to take place. As a privacy officer, what considerations would you bring to the CEO’s attention?

A

Data flow mapping. It is a great way to see which data you have and where it is going to and coming from, and so a great way to see which requirements you have to comply with for which data.

9
Q

What is one of the important considerations for companies selling to consumers internationally?

A

Whether they actively target customers in other countries. When targeting different countries, different legislation could apply, which needs to be checked.

10
Q

Which of the following is not a key attribute of security?

A. Confidentiality
B. Integrity
C. Delivery
D. Availability

A

C. Delivery

11
Q

Which type of security controls can be considered in developing a security strategy?

A. Physical, administrative, technical
B. Practice, reactive, distortive
C. Detective, cumulative, reactive
D. Physical, cosmetic, digital

A

A. Physical, administrative, technical. In the context of security, the controls are most often physical, administrative and technical.

12
Q

What is the best fitting description of a data breach?

A

A break into security measures resulting in the unauthorized access of data. For a breach, just remember that something must have gone wrong, either malicious or incidental, where something didn’t work the way it should have worked (with exceptions depending on the definitions in the specific legislation).

13
Q

When a consent decree is published, what has happened?

A

The FTC and the other party entered into an agreement to stop a certain conduct, and the information is published for other organizations to see.

14
Q

How can the Federal Trade Commission be best described?

A

A part of the executive branch with rulemaking powers

15
Q

Selfie Shenanigans is planning to implement its newest feature in the US (only). It will analyze all uploaded photos for visible signs of health issues. The data is sold to the user’s health insurer. Which law would be least likely to be broken?

A. HIPAA
B. Children’s Online Privacy Protection Act
C. GDPR
D. HITECH

A

C. GDPR. GDPR only applies to Europe; this feature is in the US only.

16
Q

Selfie Shenanigans. You find out the website has a privacy notice that is shown before users sign up. What needs to happen?

A

A check needs to be performed on whether the new practice is allowed according to the privacy notice.

17
Q

For which law does the FTC have specific authority?

A. GDPR
B. Children’s Online Privacy Protection Act
C. The APEC Privacy Framework
D. Fair Information Practices

A

B. Children’s Online Privacy Protection Act. It is the only US law among the options; otherwise, Fair Information Practices are mentioned.

18
Q

What safeguard is often put in place by researchers when using medical data for research?

A

The data is de-identified. De-identification lowers the risk of recognition.

19
Q

HIPAA is quite strict. Which of the following statements is most accurate?

A. All medical data is covered by HIPAA
B. HIPAA is based on the 5th Amendment
C. Aspects of HIPAA can be disregarded when stricter state law is in place
D. All medical practitioners sign a HIPAA declaration before being authorized to practice medicine

A

C. Aspects of HIPAA can be disregarded when stricter state law is in place. HIPAA does not preempt stricter law.

20
Q

According to the Confidentiality of Substance Use Disorder Patient Records rule, what is required for disclosure of patient information?

A

Written patient consent, explicitly describing the type of information to be disclosed

21
Q

What is one of the limitations of HIPAA?

A

Some doctors are not covered by HIPAA. A doctor who accepts only cash is not covered under HIPAA. HIPAA does not preempt state law.

22
Q

Which of the following is not a key privacy protection under HIPAA?

A. Layered privacy notices
B. Administrative, physical and technical safeguards
C. A privacy professional for covered entities
D. Individuals are allowed to access and copy a designated record set

A

A. Layered privacy notices are not a part of HIPAA.

23
Q

Which of the following preempts state law in most areas?

A. The Fair and Accurate Credit Transactions Act
B. The Fair Credit Reporting Act
C. The Gramm-Leach-Bliley Act
D. The Financial Turmoil Reconciliation Assurance Act

A

A. The Fair and Accurate Credit Transactions Act

The Fair and Accurate Credit Transactions Act (FACTA) of 2003
• Stricter state laws are preempted in most areas, although states retain some powers to enact laws addressing identity theft
• Requires truncation of credit and debit card numbers, so that receipts do not reveal the full credit or debit card number

24
Q

The Fair Credit Reporting Act affects organizations like Equifax, Experian and TransUnion. What are these organizations classified as?

A

Consumer Reporting Agencies

25
Q

Which of the following is required by the Fair and Accurate Credit Transactions Act and enhances privacy?

A. Receipts are legally stored for a period of 7 years
B. Credit card numbers are only allowed to be stored without the accompanying signature
C. Receipts are not allowed to reveal a full credit card number or debit card number
D. Receipts are only allowed to be issued digitally in specific situations

A

C. Receipts are not allowed to reveal a full credit card number or debit card number. One of the requirements is that a credit card number cannot be shown fully on a receipt. This prevents the risk of identity theft if the receipt falls into the wrong hands.

26
Q

How can the disposal rule be most accurately described?

A

A way to ensure that a consumer report is disposed of properly after it is no longer needed or allowed to be used

Rule: requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data. Applies to both small and large organizations, including consumer reporting agencies, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors and government agencies.

27
Q

Which of the following is not true regarding the Red Flag Rule?

A. Originally required through Fair and Accurate Credit Transactions Act
B. Authorized the FTC and federal banking agencies
C. Certain financial entities are required to develop an identity theft detection program
D. Requires insurance against Identity Theft

A

D. Requires insurance against Identity Theft.

Red Flag Rule
• Required agencies that regulate financial entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft
• Eliminates entities that extend credit only “for expenses incidental to a service”
• Authorizes regulations that apply the rule to businesses whose accounts should be “subject to a reasonably foreseeable risk of identity theft”

28
Q

What was US Bancorp accused of?

A

Sharing detailed customer information with a telemarketing firm

29
Q

To what kind of institutions does the Family Educational Rights and Privacy Act apply?

A

Educational institutions that receive federal funding

30
Q

Which type of information is still allowed to be disclosed under the Family Educational Rights and Privacy Act?

A. Grade point average
B. Directory information
C. Students’ home addresses
D. Health insurance coverage

A

B. Directory information is allowed to be disclosed. Whether the other three fall under FERPA can be debatable, perhaps to some extent.

31
Q

What is not true about the Do Not Call Registry?

A. Sellers and telemarketers are required to update their call lists annually
B. Only sellers, telemarketers and service providers may access the registry
C. Violations can lead to civil penalties
D. The Do Not Call Registry is implemented by the FTC

A

A. Sellers are required to update their call lists annually. The call lists are required to be updated every 31 days.

32
Q

Which of the following is not true regarding consent to allow telemarketers and sellers to call a consumer?

A. Must include a signature
B. Consent requires a privacy notice
C. Must be in writing
D. Consent must be clear and conspicuous

A

B. Consent requires a privacy notice

33
Q

What are robocalls?

A

Prerecorded calls

34
Q

The goal of the Controlling the Assault of Non-Solicited Pornography and Marketing Act is best described as which of the following?

A. Apply a paternalistic filtering of pornographic material so as to raise slipping moral standards
B. A way to respect individual rights and provide a way to indicate how wanted the communication is
C. Eliminate phishing attacks and reduce the financial burden they cause
D. Allow parents to be in control over what messages their children receive

A

B. A way to respect individual rights and provide a way to indicate how wanted the communication is

35
Q

Due to the 2007 revisions to the Federal Rules of Civil Procedure, what is now required?

A

Redacting sensitive personal information

36
Q

Which of the following can be said about the Cable Communications Policy Act?

A. Video rental records cannot be disclosed freely
B. It has become redundant due to internet television
C. Certain damages as a result of violations can be recovered because it provides for a private right of action
D. There is no such law as the Cable Communications Policy Act

A

C. Certain damages as a result of violations can be recovered because it provides for private right of action

Cable Communications Privacy Act of 1984
• Regulates the notice a cable TV provider must furnish to customers, the ability of cable providers to collect PI, the ability of cable providers to disseminate PI and the retention and destruction of PI by cable TV providers
• Provides a private right of action for violations of the aforementioned provisions and allows for actual or statutory damages, punitive damages, reasonable attorney’s fees, and court costs

37
Q

Which state was the first to include a Do Not Track requirement in its laws?

A. New York
B. California
C. Washington
D. North Carolina

A

B. California

38
Q

Which of the following is not required of a subpoena according to the Federal Rule of Civil Procedure 45?

A. State the court from which it is issued
B. State the title of the action and its civil action number
C. Take photographic evidence of the receipt of the subpoena
D. Mention a person’s right to challenge or modify the subpoena

A

C. Take photographic evidence of the receipt of the subpoena. A, B, and D are explicitly required.

39
Q

How can courts prohibit the disclosure of personal information used or generated in litigation?

A. The court can issue a protective order
B. The court can issue a restrictive order
C. The court can issue a reactive order
D. The court can issue a national security letter

A

A. The court can issue a protective order

40
Q

What was the main concern with posting personal information used in bankruptcy cases online?

A. Stalking
B. Family Feuds
C. Identity theft
D. Data breaches

A

C. Identity theft

41
Q

Which of the following is not one of the four key guidelines from the Sedona Conference?

A. Professionals from several disciplines should provide input into the e-mail retention policy
B. E-mail retention policies should continually be developed
C. A Chief Information Security Officer in charge of e-discovery
D. Industry standards should be taken into account

A

C. A Chief Information Security Officer in charge of e-discovery.

Rule:

  1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units;
  2. such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice;
  3. interdisciplinary teams should reach consensus as to policies while looking to industry standards;
  4. technical solutions should meet and parallel the functional requirements of the organization.

42
Q

What is the Communications Assistance for Law Enforcement Act also referred to as?

A. The Pen Register
B. The Digital Telephony Bill
C. The Wire
D. Track and Trace

A

B. The Digital Telephony Bill

43
Q

In 2016 the FBI was quarreling with Apple. What was the quarrel about?

A. new firmware slowing down phones
B. helping gain access to the data on a seized phone
C. the tablets in the Federal Bureau of Investigation’s office could not fit the micro-SD required for the investigation
D. a cloud security breach exposing pictures of celebrities

A

B. Helping gain access to the data on a seized phone

44
Q

Which of the following is most accurate regarding workplace privacy?

A. Workplace privacy is the same in every state
B. US privacy protection at the workplace is the strictest in the world
C. Workers have a high level of influence in workplace practices
D. There is no law that covers privacy specifically

A

D. There is no law that covers privacy specifically

45
Q

Which of the following is not a source of protection for employees?

A. State labor laws
B. Contract and tort law
C. Overarching employment privacy law
D. Certain federal laws

A

C. Overarching employment privacy laws

46
Q

What is the most accurate comparison between US and EU workplace privacy?

A. the US inspired the EU legislation
B. the EU has no law that is applicable to the workplace
C. the US had cubicles, whereas in the EU cubicles are forbidden because of privacy concerns
D. EU employees’ data falls under the scope of the General Data Protection Regulation, which offers more protection

A

D. EU employees’ data falls under the scope of the General Data Protection Regulation, which offers more protection

47
Q

What can be said about the Constitution’s Fourth Amendment?

A. it provides protection from employers
B. it provides protection from government employers
C. it doesn’t concern privacy
D. it only protects against the king of England

A

B. it provides protection from government employers

48
Q

In the US, it is employment at will. What is the consequence of this?

A. all legislation is rendered invalid
B. you can buy privacy
C. many aspects, covered by laws in other continents, are at the discretion of the employer
D. employees have no rights

A

C. many aspects, covered by laws in other continents, are at the discretion of the employer

49
Q

Which of the following is not a tort that can be relied on by an employee in a privacy case?

A. intrusion upon seclusion
B. publicity given to private life
C. defamation
D. intellectual property

A

D. intellectual property

50
Q

Of the following laws, which does not have employment privacy implications?

A. The Children’s Online Privacy Protection Act
B. The Employee Retirement Income Security Act
C. HIPAA
D. The Fair Labor Standards Act

A

A. The Children’s Online Privacy Protection Act

51
Q

At which stage of employment do employers need to take into account workplace privacy considerations?

A. before employment
B. before, during, and after employment
C. during employment
D. after employment

A

B. before, during, and after employment

52
Q

What is true about Bring Your Own Device policies?

A. only company-issued equipment is allowed to be used
B. it brings along security risks and requires reconsideration of the level of monitoring
C. employees surrender their data when a Bring Your Own Device policy is in place
D. Bring Your Own Device practices are illegal

A

B. it brings along security risks and requires reconsideration of the level of monitoring

53
Q

Which of the following is a consequence of the Employee Polygraph Protection Act?

A. only grade A and B type polygraphs are allowed to be used
B. an employer cannot use a polygraph test to screen an applicant
C. a statement of sincerity is required to substitute a polygraph
D. employers cannot screen applicants

A

B. an employer cannot use a polygraph test to screen an applicant

54
Q

Which of the following agencies is not responsible for privacy enforcement?

A. The FTC
B. Department of Education
C. FCC
D. Certain agencies of the executive branch

A

B. Department of Education

55
Q

What is true of the FTC?

A. The FTC is an independent agency
B. The FTC falls under direct control of the president
C. The FTC focuses solely on privacy
D. The FTC focuses solely on security

A

A. The FTC is an independent agency

56
Q

What was the issue in the Designerware, LLC case?

A. the leaking of a large amount of credit card numbers
B. key loggers, unexpected screenshots and photographs
C. a break-in on one of the servers that stored social security numbers
D. unauthorized disclosure of collected sensitive data

A

B. key loggers, unexpected screenshots and photographs

57
Q

When is a data breach to be reported?

A. above 200 persons
B. above 100 persons
C. if minors are involved
D. depends on the state and breach size

A

D. depends on the state and breach size

58
Q

Is ransomware a data breach?

A. always
B. never
C. depends on whether unauthorized access has been established
D. not if the information was backed up

A

C. depends on whether unauthorized access has been established

Ransomware - (a type of malware)

(1) locks a user’s operating system, restricting the user’s access to their data and/or device, or
(2) encrypts the data so that the user is prevented from accessing his or her files

59
Q

Certain national laws preempt state law. Out of the following choices, how can preempting best be described?

A. privacy notice, under many circumstances, can be overruled by state law
B. laws of an inferior government can be superseded by those of a superior government
C. if a state has no law, it is preempted by national law
D. federal judges can preempt the president and a large part of the executive branch

A

B. laws of an inferior government can be superseded by those of a superior government

60
Q

Although there are many actions an individual can take to battle injustice, which of the following most accurately describes the private right of action?

A. to carry a concealed weapon and use it to protect your privacy when someone attempts to enter your domicile
B. to start a lawsuit when a law is violated
C. to enforce the binding rules of a privacy notice
D. to forbid organizations from processing the data of minors that you are the legal guardian of

A

B. to start a lawsuit when a law is violated

61
Q

If an agency has authority, there are two types of authority that agency can have. Which type of authority does the FTC have?

A. general authority
B. specific authority
C. general authority as well as specific authority
D. operational authority

A

C. general authority as well as specific authority

62
Q

Many references to privacy can be found all throughout recorded history. When looking at laws regarding Personal Information, which class of privacy do such laws pertain to?

A. bodily privacy
B. territorial privacy
C. communications privacy
D. information privacy

A

D. information privacy

63
Q

Which of the following is not (yet) part of the Fair Information Practices?

A. notice
B. choice and consent
C. disclosure
D. legal basis

A

D. legal basis

64
Q

All over the world, different models of privacy protection are adopted. Which of the following is true regarding models of privacy protection?

A. in the US there is a sectoral model, and in the EU there is a comprehensive model
B. the US only uses the co-regulatory model
C. Europe has a strong focus on the self-regulatory model
D. the laws in the US fall under the comprehensive model

A

A. in the US there is a sectoral model, and in the EU there is a comprehensive model

65
Q

Which of the following best describes the relationship between case law and common law?

A. common law needs case law to exist
B. common law is based on principles
C. case law is solely the judge’s opinion
D. case law is fluid and allows for presidential intervention

A

A. common law needs case law to exist

66
Q

When can an organization most likely be in trouble for violating contract law?

A. when someone provided their data based on the practices mentioned in the privacy notice
B. when a data subject disagrees with a privacy notice
C. when a privacy notice is not in the local language
D. when a privacy notice is not on the organization’s website

A

A. when someone provided their data based on the practices mentioned in the privacy notice

67
Q

How can Personal Information best be described?

A. any information relating to a natural person
B. this depends on the field and even state law
C. directory information
D. information of value

A

B. this depends on the field and even state law

68
Q

Which comprehensive privacy laws are there in the US?

A. the Children’s Online Privacy Protection Act
B. HIPAA
C. None, there are no comprehensive privacy laws in the US
D. GDPR

A

C. None, there are no comprehensive privacy laws in the US

69
Q

Of the following, which are three different tort categories?

A. negligence, notice breach, intrusion
B. intrusion upon seclusion, strict liability
C. intentional, negligent, strict liability
D. privacy notice breach, wrongful intrusion, defamation

A

C. intentional, negligent, strict liability

70
Q

Which of the following is most restrictive for employers in the US in relation to privacy?

A. HIPAA
B. Children’s Online Privacy Protection Act
C. Fourth Amendment
D. Fair and Accurate Credit Transactions Act

A

C. Fourth Amendment

71
Q

What is the most likely purpose for which an organization creates a data inventory?

A. showing the public which data is stored
B. creating an overview of data, helpful for creating a compliance and security approach
C. complying with a US legal requirement
D. identifying storage size requirements

A

B. creating an overview of data, helpful for creating a compliance and security approach

72
Q

Which of the following statements is not true regarding data classification?

A. organizations are free to classify data elements a certain way to place it inside or outside of the scope of certain laws
B. data classification can help identify applicable laws
C. to assist in creating a security strategy
D. help breach response

A

A. organizations are free to classify data elements a certain way to place it inside or outside of the scope of certain laws

73
Q

What is not the result of an organization starting a privacy program?

A. awareness amongst employees
B. reduced risk of compliance issues
C. an increase in breach detection rate and breach response time
D. full, future-proof compliance with privacy legislation

A

D. full, future-proof compliance with privacy legislation

74
Q

What is the name of the guidelines developed by the Asia-Pacific Economic Cooperation?

A. the OECD guidelines
B. The IT Act
C. The Fair Information Practices
D. The APEC Privacy Framework

A

D. The APEC Privacy Framework